With cyber security becoming a growing concern for organisations and individuals, you may have come across the concept of MITM (man-in-the-middle) attacks.
In this blog, we explain everything you need to know about this attack vector, including how these attacks work, when you’re vulnerable to them and what you should do to stay safe.
What is a man-in-the-middle attack?
MITM attacks exploit the way data is shared between a website and a user’s device – whether that’s their computer, phone, tablet, etc.
When you visit a website, your device sends an instruction through an Internet router, which is then directed to the website’s server.
The server acknowledges and completes the instruction, sending the information back through the router to the person’s device.
This process happens so quickly that many of us don’t acknowledge how complex it is – and that’s what allows MITM attackers to strike.
Using one of several techniques (which we explain below), attackers compromise the router, allowing them to intercept data in real-time as it flows between the victim’s computer and the server.
This enables them to eavesdrop on what’s being shared, and in some cases modify the interactions. That includes the ability to redirect users to a different website or spoof the destination web address.
How do attackers intercept your data?
Attacks are most likely to occur on public Wi-Fi, because these connections are generally less secure than home routers.
That’s not so much a security weakness as it is part of the design. Public Wi-Fi is intended for anyone in the vicinity to use, so naturally it will be less secure than your home or office network, which contains protections that ensure only authorised people can connect.
But how do criminals get in the middle? The first step is to compromise the Internet router, which they can do with tools that scan for unpatched flaws or other vulnerabilities.
Next, they intercept and decrypt the victim’s transmitted data using a variety of techniques.
A basic method is sniffing, in which attackers deploy tools that inspect packets – units of data that are transferred over a network. These can be used to intercept unencrypted information, such as passwords and usernames.
Attackers might also perform packet injection, in which malicious packets are inserted into data communication streams to disrupt victims’ ability to use certain network services or protocols.
A similar version of this attack is known as session hijacking (or cookie hijacking), in which the criminal sniffs sensitive traffic to identify the victim’s session token.
With that information, the attacker uses source-routed IP packets to intercept data as it’s being transferred from the victim’s computer to the server and make requests as though they were the user.
Finally, cyber criminals attempting to intercept traffic from an HTTPS website might conduct an SSL stripping attack. This involves intercepting packets and altering their address to direct the victim to the less secure HTTP equivalent.
HTTP pages don’t encrypt information as it’s being shared, meaning the attacker can sniff information and perform packet injection.
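Session hijacking and SSL stripping both succeed more easily when a site forgets two server-side defences: cookie flags that keep the session token off plain HTTP and out of injected script, and an HSTS header that tells the browser never to accept an HTTP downgrade on later visits. The audit below is an added example written for this post (not code from the original article); the weak and hardened header sets are constructed, not captured from any real site, and the header dictionary is assumed to have lower-cased keys.

```python
"""Audit HTTP response headers for the defences that blunt session
hijacking (cookie flags) and SSL stripping (HSTS).

Added example; the sample headers are constructed for illustration.
Header names in the dict are assumed to be lower-cased already.
"""
from typing import Dict, List


def parse_cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its attributes (keys lower-cased)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:          # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_cookie(set_cookie: str) -> List[str]:
    """Report missing Secure / HttpOnly / SameSite protections on one cookie."""
    findings: List[str] = []
    name = set_cookie.split("=", 1)[0].strip()
    attrs = parse_cookie_attrs(set_cookie)
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (token would be sent over plain HTTP after a downgrade)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (token readable by injected script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite should be Lax or Strict")
    return findings


def audit_hsts(headers: Dict[str, str], min_age: int = 31536000) -> List[str]:
    """Check Strict-Transport-Security is present and strong enough."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: browser will accept an HTTP downgrade on the next visit"]
    directives: Dict[str, str] = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.strip().lower()] = val.strip()
    findings: List[str] = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < min_age:
        findings.append(f"HSTS max-age={max_age} is below {min_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_response(headers: Dict[str, str], cookies: List[str]) -> List[str]:
    """Combine the HSTS check with a check of every Set-Cookie header."""
    findings = audit_hsts(headers)
    for cookie in cookies:
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed sample responses: a weak configuration and its hardened form.
WEAK_HEADERS = {"content-type": "text/html"}
WEAK_COOKIES = ["sessionid=abc123; Path=/"]
HARDENED_HEADERS = {
    "content-type": "text/html",
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
}
HARDENED_COOKIES = ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cks in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                             ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_response(hdrs, cks) or ["no findings"])
```

Run against the weak set, the audit reports the missing HSTS header and all three missing cookie flags; the hardened set produces no findings. Once a browser has seen the HSTS header over HTTPS, it rewrites future plain-HTTP requests to that host itself, so the stripping step described above has nothing to redirect.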
Types of attack
MITM attacks can take many forms, but these are some of the most common:
- IP spoofing
Every device that connects to the Internet does so through an IP address, which is a number assigned to your device based on your physical location.
By spoofing an IP address, criminal hackers can trick you into believing you’re interacting with the website or person you tried to reach.
- Email hijacking
Cyber criminals often target emails between banks and customers with the intention of spoofing the bank’s email address and sending their own instructions. This is a ruse to get the victim to provide their login credentials and payment card details.
- HTTPS spoofing
A general rule of thumb for knowing if a website is genuine is if it has a green lock symbol next to it and begins with ‘https://’ instead of simply ‘http://’.
The extra ‘s’ stands for ‘secure’, indicating that the connection between you and the server has been encrypted and therefore can’t be hijacked.
Unfortunately, attackers have developed a way around this. They create their own website that looks identical to the one you’re trying to reach but with a slightly different URL. A lowercase ‘l’ might become an uppercase ‘I’, for example, or they’ll use letters from the Cyrillic alphabet.
When victims try to reach the legitimate site, the attacker will redirect them to their own site, where they can siphon off information.
Attackers generally do this to steal login credentials for email and website accounts, which they can use to launch targeted attacks like phishing emails. But if the attacker is lucky, the victim will unwittingly visit their online bank portal and hand over their account information.
- Wi-Fi eavesdropping
Instead of exploiting a vulnerability in an existing Wi-Fi connection, attackers might set up their own Internet hotspot and give it an inconspicuous name – such as ‘Café Wi-Fi’.
All they have to do is wait for a victim to connect, at which point they can eavesdrop on their Internet activity.
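The HTTPS spoofing section above describes look-alike domains built from swapped Latin characters or Cyrillic letters. A defender can catch many of these mechanically by decoding any punycode (`xn--`) labels, checking whether a hostname mixes scripts, and comparing a "skeleton" of the name (confusables mapped to the Latin letter they imitate) against a list of the domains a user actually expects to visit. The checker below is an added example for this post, not code from the original article; the confusables table is a small hand-picked illustration (a production tool would use Unicode's full confusables data) and the sample hostnames and allow-list are constructed.

```python
"""Flag hostnames that mix scripts or resemble an expected domain once
visually confusable characters are normalised.

Added example; the confusables table is a short illustrative subset and
the sample hostnames are constructed.
"""
import unicodedata
from typing import Dict, List, Set

# Characters that are visually close to a Latin letter, mapped to it.
# Cyrillic entries are written as escapes so they are unambiguous in source.
CONFUSABLES: Dict[str, str] = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit 1 and bar look like lowercase l
    "0": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def to_unicode(hostname: str) -> str:
    """Decode punycode labels (xn--...) to Unicode; leave other names as given."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode, or not decodable: inspect as-is


def scripts(hostname: str) -> Set[str]:
    """Collect the Unicode script names (LATIN, CYRILLIC, ...) used by the letters."""
    found: Set[str] = set()
    for ch in hostname:
        if ch in ".-" or ch.isdigit():
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(hostname: str) -> str:
    """Replace confusables with the Latin letter they imitate, then lower-case."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname).lower()


def check_hostname(hostname: str, expected: List[str]) -> List[str]:
    """Return findings for a hostname; an empty list means nothing suspicious.

    `expected` is the lower-case list of domains the user intends to visit.
    """
    host = to_unicode(hostname.strip().rstrip("."))
    findings: List[str] = []
    if host.lower() in expected:
        return findings                       # exact (case-insensitive) match
    found = scripts(host)
    if len(found) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(found)))
    targets = {skeleton(e): e for e in expected}
    if skeleton(host) in targets:
        findings.append(f"looks like {targets[skeleton(host)]}")
    return findings


# Constructed allow-list and sample hostnames.
EXPECTED = ["paypal.com", "bank.example"]

if __name__ == "__main__":
    for sample in ("PayPal.com", "paypaI.com", "p\u0430ypal.com", "example.org"):
        print(repr(sample), check_hostname(sample, EXPECTED) or ["ok"])
```

The exact-match test runs first so that a legitimate name containing a capital I (hostnames are case-insensitive) is never mis-flagged; only names that fail that test are normalised and compared. Feeding the checker the punycode form of a Cyrillic look-alike gives the same result as feeding it the Unicode form, which matters because that is how the name appears on the wire.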
How to prevent man-in-the-middle attacks
The threat of MITM attacks might make you reluctant to use public Wi-Fi. That’s not the worst advice in the world – at least if you intend to do anything that could expose sensitive information, such as logging in to your work email account or online bank account.
In these circumstances, it would be preferable to use your mobile data. If you still want to use your laptop, you can use your phone as a wireless hotspot.
However, you must apply appropriate security controls when doing this so that only you can connect to the network.
If mobile data isn’t an option, here are some other steps you can take to protect yourself while using public Wi-Fi:
- Use a VPN
There are many cyber security benefits of using a VPN (virtual private network), such as the fact that it masks your IP address by routing your traffic through a private server.
VPNs also encrypt the data as it’s being transmitted over the Internet. This doesn’t make you impenetrable to MITM attacks, but it makes life much harder for crooks and will likely cause them to look for an easier target.
- Only visit HTTPS websites
As with VPNs, HTTPS websites encrypt data and prevent attackers from intercepting communications.
Although it’s possible for criminals to circumvent these protections with HTTPS spoofing or SSL stripping, you can thwart their attempts with a little legwork.
For example, you can avoid HTTPS spoofing by manually typing the web address instead of relying on links.
Likewise, you can detect SSL stripping by checking that the web address indeed begins with ‘https://’ or has a lock symbol indicating that it’s secure.
The MITM attacker can redirect you from a secure site to an insecure one, but it will be clear that this has happened if you check the address bar.
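Checking the address bar is the manual version of a check a client can perform programmatically: walk the redirect chain from the URL you started with and flag any hop that moves from https to http, or a chain that never reaches https at all. The script below is an added example for this post, not code from the original article; it walks constructed redirect tables (no network access) rather than live responses, and the `bank.example` URLs are placeholders.

```python
"""Detect an SSL-stripping style downgrade by inspecting a redirect chain.

Added example. The redirect tables are constructed, mapping each URL to
(status code, Location header); a real client would collect the same data
by issuing requests with redirects disabled and reading each Location.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

RedirectTable = Dict[str, Tuple[int, Optional[str]]]

# A site behaving correctly: plain HTTP is upgraded to HTTPS immediately.
NORMAL_SITE: RedirectTable = {
    "http://bank.example/": (301, "https://bank.example/"),
    "https://bank.example/": (200, None),
}

# What the victim sees with a stripper in the path: the HTTPS URL they
# asked for is bounced to its HTTP twin, which then serves the login page.
STRIPPED_SITE: RedirectTable = {
    "https://bank.example/login": (302, "/login-http"),
    "http://bank.example/login-http": (200, None),
    "http://bank.example/login": (200, None),
}
# Note: the relative Location above resolves against the https URL, so the
# table entry that matches is the one the stripper actually serves.
STRIPPED_SITE["https://bank.example/login-http"] = (302, "http://bank.example/login-http")

REDIRECT_CODES = (301, 302, 303, 307, 308)


def walk(start: str, table: RedirectTable, max_hops: int = 10) -> List[str]:
    """Follow redirects from `start` and return every URL visited, in order."""
    visited = [start]
    url = start
    for _ in range(max_hops):
        status, location = table.get(url, (200, None))
        if status not in REDIRECT_CODES or location is None:
            break
        url = urljoin(url, location)      # Location may be relative
        visited.append(url)
    return visited


def downgrades(chain: List[str]) -> List[Tuple[str, str]]:
    """Return each (from, to) hop where the scheme drops from https to http."""
    return [
        (a, b) for a, b in zip(chain, chain[1:])
        if urlparse(a).scheme == "https" and urlparse(b).scheme == "http"
    ]


def assess(start: str, table: RedirectTable) -> str:
    """Classify a chain: OK, DOWNGRADE (https -> http hop) or PLAINTEXT (never https)."""
    chain = walk(start, table)
    if downgrades(chain):
        return "DOWNGRADE"
    if urlparse(chain[-1]).scheme != "https":
        return "PLAINTEXT"
    return "OK"


if __name__ == "__main__":
    for start, table in (("http://bank.example/", NORMAL_SITE),
                         ("https://bank.example/login", STRIPPED_SITE),
                         ("http://bank.example/login", STRIPPED_SITE)):
        print(start, "->", assess(start, table), walk(start, table))
```

The PLAINTEXT case is the one users most often miss: if you type a bare domain the browser may start on http, and a stripper can simply keep you there without ever issuing a visible downgrade, so the final scheme must be checked as well as the hops.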
- Watch out for phishing scams
Attackers may use HTTPS spoofing or email hijacking to craft tailored phishing emails.
When done right – such as a phony invoice or a bogus email from your bank asking you to log in to your account – these scams are more lucrative than simply gathering sensitive information and selling it on the dark web.
The good news is that, if you can recognise the signs of a phishing scam, you can protect yourself from whatever techniques attackers use.
It’s a skill that is becoming increasingly important as the end of lockdown approaches. Remote employees may be inclined to work from cafes or other public locations, which could expose the organisations’ sensitive data to MITM attackers.
There’s also the renewed threat of employees working on the go – whether that’s on their commute, if they need to travel for business or if they’re checking their emails during out-of-office hours.
To combat this threat, organisations must train their staff on the threat of phishing.
You can find out how to do this with the help of our Phishing Staff Awareness Training Programme.
With this training course, you’ll learn how phishing attacks work, the tactics that cyber criminals use and what you should do if you’re targeted.
The course content is updated each quarter with current examples of phishing scams and tactics to help reinforce staff awareness of the threats they face.
You’ll also receive a free monthly staff awareness newsletter that includes tips on phishing scams and current industry news.
A version of this blog was originally published on 17 February 2020.